From 454690135895ef188b8771fd98911c691ba02052 Mon Sep 17 00:00:00 2001
From: David Andersen
Date: Tue, 18 Jul 2023 14:13:13 -0700
Subject: [PATCH] object is a child of request
---
 src/dsmlp/app/validator.py | 4 +-
 tests/app/test_validator.py | 95 ++++++++++++++++++-------------------
 2 files changed, 48 insertions(+), 51 deletions(-)
diff --git a/src/dsmlp/app/validator.py b/src/dsmlp/app/validator.py
index e5994e3..df2348b 100644
--- a/src/dsmlp/app/validator.py
+++ b/src/dsmlp/app/validator.py
@@ -47,13 +47,13 @@ class Object:
 @dataclass
 class Request:
 namespace: str
+ object: Object
 @dataclass_json
 @dataclass
 class AdmissionReview:
 request: Request
- object: Object
 class UidValidator:
@@ -88,7 +88,7 @@ def validate_request(self, request):
 user_uid = user.uid
 namespace = self.kube.get_namespace(username)
- spec = review.object.spec
+ spec = review.request.object.spec
 uid = spec.securityContext.runAsUser
 if user_uid != uid:
diff --git a/tests/app/test_validator.py b/tests/app/test_validator.py
index cba8b30..bd47562 100644
--- a/tests/app/test_validator.py
+++ b/tests/app/test_validator.py
@@ -26,14 +26,14 @@ def test_pod_security_context(self):
 {
 "request": {
 "namespace": "user1",
- },
- "object": {
- "spec": {
- "securityContext": {
- "runAsUser": 1
+ "object": {
+ "spec": {
+ "securityContext": {
+ "runAsUser": 1
+ },
+ "containers": []
 },
- "containers": []
- },
+ }
 }
 }
 )
@@ -49,19 +49,19 @@ def test_security_context(self):
 {
 "request": {
 "namespace": "user1",
- },
- "object": {
- "spec": {
- "securityContext": {
- "runAsUser": 1
- },
- "containers": [
- {
- "securityContext": {
- "runAsUser": 1
+ "object": {
+ "spec": {
+ "securityContext": {
+ "runAsUser": 1
+ },
+ "containers": [
+ {
+ "securityContext": {
+ "runAsUser": 1
+ }
 }
- }
- ]
+ ]
+ }
 }
 }
 }
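Review bot: `Request` models only `namespace` and the moved `object`, and none of the expected responses in the test hunks below carry a `uid`; if this `AdmissionReview` is the one the Kubernetes apiserver sends to a ValidatingWebhook, the apiserver requires `response.uid` to echo `request.uid` (and, for admission.k8s.io/v1, `apiVersion`/`kind` on the reply), and a reply without it counts as a webhook failure whose outcome is then decided by the webhook's failurePolicy rather than by this validator. Unless that is handled somewhere I can't see, add `uid: str` to `Request` and copy it into the response. The field name `object` also shadows the builtin inside the class body; harmless for a dataclass field, but worth a one-line comment such as `# field name is fixed by the admission API; shadows builtins.object only in this class body`.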
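Review bot: `uid = spec.securityContext.runAsUser` reads the pod-level security context with no guard for a pod that has no `securityContext` at all, and the new line only changes where `spec` comes from, not that read. Whether a missing context raises (an `AttributeError` becomes a webhook error, and what the apiserver does then depends on failurePolicy, not on this code) or yields `None` depends on how `Object`/spec are typed outside the hunk; either way the policy for "no runAsUser set" should be explicit, because such a pod runs as the image's default user, often root. Something like `sc = spec.securityContext` followed by `uid = sc.runAsUser if sc is not None else None` keeps the existing `user_uid != uid` comparison fail-closed for that case. validate_request begins and ends outside the hunk, so I can't see whether initContainers and ephemeralContainers get the same uid check as `containers`; they carry their own securityContext and need it too.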
@@ -78,14 +78,13 @@ def test_deny_security_context(self):
 {
 "request": {
 "namespace": "user2",
- },
- "object": {
- "spec": {
- "containers": [],
- "securityContext": {"runAsUser": 3}},
+ "object": {
+ "spec": {
+ "containers": [],
+ "securityContext": {"runAsUser": 3}},
- }
- }
+ }
+ }}
 )
 assert_that(response, equal_to({"response": {"allowed": False, "status": {
@@ -101,14 +101,13 @@ def test_deny_unknown_user(self):
 {
 "request": {
 "namespace": "user2",
- },
- "object": {
- "spec": {
- "containers": [],
- "securityContext": {"runAsUser": 3}},
+ "object": {
+ "spec": {
+ "containers": [],
+ "securityContext": {"runAsUser": 3}},
- }
- }
+ }
+ }}
 )
 assert_that(response, equal_to({"response": {"allowed": False, "status": {
@@ -124,19 +122,18 @@ def test_deny_pod_security_context(self):
 {
 "request": {
 "namespace": "user2",
- },
- "object": {
- "kind": "Pod",
- "spec": {
+ "object": {
+ "kind": "Pod",
+ "spec": {
 "securityContext": {"runAsUser": 2},
 "containers": [
 {
 "securityContext": {"runAsUser": 3}
 }
 ]
+ }
 }
- }
- }
+ }}
 )
 assert_that(response, equal_to({"response": {"allowed": False, "status": {
@@ -151,16 +148,16 @@ def test_unlabelled_namespace_can_use_any_uid(self):
 {
 "request": {
 "namespace": "kube-system",
- },
- "object": {
- # "kind": "Pod",
- "spec": {
- # "securityContext": {"runAsUser": 2},
- "containers": [
- {
- # "securityContext": {"runAsUser": 3}
- }
- ]
+ "object": {
+ # "kind": "Pod",
+ "spec": {
+ # "securityContext": {"runAsUser": 2},
+ "containers": [
+ {
+ # "securityContext": {"runAsUser": 3}
+ }
+ ]
+ }
 }
 }
 }
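Review bot: The new closing `+ }}` in `test_deny_security_context` folds the end of `request` and the outer dict onto one line while `"securityContext": {"runAsUser": 3}},` still closes `spec` on its own line, so the fixture's nesting is hard to follow, and the same layout is repeated in `test_deny_unknown_user`. The other fixtures in this commit put one closing brace per line; matching that here (`}` then `}` on separate lines) would make the request/object nesting that this commit is about visible at a glance.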
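Review bot: The fixture in `test_unlabelled_namespace_can_use_any_uid` is the only one in these hunks without a pod-level `securityContext`, and its namespace is `kube-system`, which the test name says is exempt; nothing here sends a pod with no `securityContext`, or with `runAsUser` set only on a container, through the `spec.securityContext.runAsUser` read in validate_request for a user namespace. Add a `test_deny_missing_security_context` case with `"namespace": "user1"` and a spec of just `"containers": []`, asserting the deny (or the error you intend) so the missing-runAsUser policy is pinned rather than left to whatever the dataclass does with an absent field. A fixture with `"initContainers": [{"securityContext": {"runAsUser": 3}}]` would pin the same check for init containers, if the validator is meant to cover them.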